The clue is in the return types:
AuthorizeCore returns a boolean – it is decision making code. This should be limited to looking at the user’s identity and testing which roles they are in etc. etc. Basically it should answer the question:
Do I want this user to proceed?
It should not perform any additional activities “on the side”.
OnAuthorize returns void – this is where you put any functionality that needs to occur at this point. e.g. Write to a log, store some data in session etc etc.